
Using BGP Flow-Spec for distributed micro-segmentation (Davide Pucci, presentation slides)


  1. Using BGP Flow-Spec for distributed micro-segmentation. Davide Pucci / 12019364; Attilla de Groot / Cumulus Networks.

  2. Data Center micro-segmentation. Layer 2 segmentation: VLANs to isolate multiple flows over the same link. Layer 3 segmentation: VRFs to separate routing tables. Micro-segmentation: apply custom security filtering within the same VLAN.

  3. Border Gateway Protocol (BGP). BGP is the de-facto Internet routing protocol. It pulls intra-Autonomous System prefixes, relying on iBGP, and exchanges these internal prefixes with neighbouring Autonomous Systems to enable proper routing, relying on eBGP. (Diagram: AS #1, AS #2 and AS #3 exchanging the prefix 1.0.0.0/8.)

  4. BGP Flow Specification. An extension of BGP, born with the sole aim of DDoS attack mitigation (RFC 5575, "Dissemination of Flow Specification Rules", August 2009). The Flow-Spec controller spreads filtering policies to its neighbours, the clients. Actions against given prefixes are regulated with extended communities, relying on BGP for the diffusion.

  5. BGP in Data Centers. Third-wave applications moved most of the traffic to an east-west direction. This change introduced the need for more elastic Data Centers, where all the switches represent a (private) Autonomous System (RFC 7938, "Use of BGP for Routing in Large-Scale Data Centers", August 2016; RFC 5575 as above).

  6. Is the BGP Flow Specification applicable for Data Center micro-segmentation?

  7. Distributed micro-segmentation with Flow-Spec. (Diagram: a Flow Specification controller announcing the route to its Flow Specification clients.)

     route flow4 {
         src 2.0.0.1/32;
         dst 1.0.0.1/32;
     } {
         bgp_ext_community.add((generic, 0x80060000, 0x0));
     };

  8. Open source implementations. Bird for controller capabilities; FRR for client capabilities; a custom utility for rules injection, as none of them implements route injection into the underlying system.

  9. Open source implementations. Bird: starting from version 2.0, it correctly implements the whole Flow-Spec specification. FRR: used to be unable to relay Flow-Spec announcements, later patched by working together with Cumulus Networks developers.

  10. Rules fetcher ~ iptables on the controller

     fs-controller:~# iptables -L FORWARD
     Chain FORWARD (policy DROP)
     num  target  prot opt source     destination
     1    ACCEPT  all  --  2.0.0.1    1.0.0.1

  11. Rules fetcher ~ Flow-Spec routes on Bird

     # default policy
     route flow4 {
         src 0.0.0.0/0;
         dst 0.0.0.0/0;
     } {
         # traffic drop
         bgp_ext_community.add((generic, 0x80060000, 0x0));
     };

     # rule 1
     route flow4 {
         src 2.0.0.1/32;
         dst 1.0.0.1/32;
     } {
         # traffic-mark as rule number
         bgp_ext_community.add((generic, 0x80090000, 0x1));
     };
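The "rules fetcher" half of the custom utility is only sketched on the slides, so here is an added example (not the authors' code) of how a controller-side script could turn the iptables FORWARD chain into the Bird flow4 routes above. It goes a little beyond the slides: it builds the two RFC 5575 extended communities from their fields instead of hard-coding the hex words (traffic-rate 0x8006 carries a 2-byte AS plus a 4-byte float, traffic-marking 0x8009 carries a 1-byte DSCP, which the slides reuse as the rule number), and it maps a protocol column onto Bird's `proto =` match. The listing format assumed is that of `iptables -L FORWARD --line-numbers`; the sample listing is constructed to mirror the slide output plus one tcp rule.

```python
import re
import struct

# RFC 5575 extended community types (transitive experimental, 0x80xx).
FS_TRAFFIC_RATE = 0x8006     # 2-byte AS + 4-byte IEEE 754 float (bytes/s); rate 0 drops
FS_TRAFFIC_MARKING = 0x8009  # 5 reserved bytes + 1-byte DSCP; the slides reuse it as rule number

# iptables protocol names mapped to IP protocol numbers for Bird's `proto =` match.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


def traffic_rate_community(rate_bytes_per_sec, asn=0):
    """Return Bird's (hi, lo) words for a traffic-rate community.

    hi holds the type and the 2-byte AS number, lo the float rate, so
    rate 0 from AS 0 gives (0x80060000, 0x0) as on the slides.
    """
    hi = (FS_TRAFFIC_RATE << 16) | (asn & 0xFFFF)
    lo = struct.unpack(">I", struct.pack(">f", float(rate_bytes_per_sec)))[0]
    return hi, lo


def traffic_marking_community(dscp):
    """Return (hi, lo) for a traffic-marking community; DSCP is a 6-bit field."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be between 0 and 63")
    return FS_TRAFFIC_MARKING << 16, dscp


def bird_flow4_route(src, dst, community, comment, proto=None):
    """Render one Bird `route flow4` stanza carrying a single extended community."""
    hi, lo = community
    match = [f"    src {src};", f"    dst {dst};"]
    if proto is not None:
        match.append(f"    proto = {proto};")
    return "\n".join(
        [f"# {comment}", "route flow4 {", *match, "} {",
         f"    bgp_ext_community.add((generic, 0x{hi:08x}, 0x{lo:x}));", "};", ""]
    )


POLICY_RE = re.compile(r"^Chain FORWARD \(policy (\w+)\)")
RULE_RE = re.compile(r"^(\d+)\s+(ACCEPT|DROP)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)")


def _as_prefix(addr):
    """iptables prints hosts without a mask and 'anywhere' for 0.0.0.0/0."""
    if addr == "anywhere":
        return "0.0.0.0/0"
    return addr if "/" in addr else f"{addr}/32"


def iptables_to_bird(listing):
    """Translate an `iptables -L FORWARD --line-numbers` listing into Bird flow4 routes.

    ACCEPT rules become traffic-marking routes tagged with their rule number;
    DROP rules and a DROP chain policy become traffic-rate 0 routes.
    """
    stanzas = []
    policy = None
    for line in listing.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # header line, or a match extension this example does not translate
        num, target, proto, src, dst = m.groups()
        proto_num = PROTO_NUMBERS.get(proto)  # "all" -> None, i.e. no proto match
        if target == "ACCEPT":
            community = traffic_marking_community(int(num))
        else:
            community = traffic_rate_community(0)
        stanzas.append(bird_flow4_route(_as_prefix(src), _as_prefix(dst),
                                        community, f"rule {num}", proto_num))
    if policy == "DROP":
        stanzas.append(bird_flow4_route("0.0.0.0/0", "0.0.0.0/0",
                                        traffic_rate_community(0), "default policy: traffic drop"))
    return "\n".join(stanzas)


# Constructed listing mirroring the controller output on the slides, plus a tcp rule.
SAMPLE_LISTING = """\
Chain FORWARD (policy DROP)
num  target  prot opt source    destination
1    ACCEPT  all  --  2.0.0.1   1.0.0.1
2    ACCEPT  tcp  --  2.0.0.2   1.0.0.1
"""

if __name__ == "__main__":
    print(iptables_to_bird(SAMPLE_LISTING))
```

Two things worth noticing in this translation. Flow-Spec orders rules by its own prefix comparison, not by announcement order, so the iptables position has to travel inside the route for the client to rebuild the chain in the same order; that is what the marking community does here, and why conclusion A asks for a dedicated sub-type. Abusing DSCP for that also caps the chain at 63 numbered rules, since the field is 6 bits wide.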

  12. Rules transit. (Diagram: the BGP UPDATE travels from BIRD on the controller to FRR on the clients.)

  13. Rules injector ~ Flow-Spec routes on FRR

     fs-client# show bgp ipv4 flowspec detail json
     {
       "to": "1.0.0.1/32",
       "from": "2.0.0.1/32"
     },
     {
       "ecomlist": "FS:marking 1"
     },
     {
       "time": "00:00:09"
     }

     {
       "to": "0.0.0.0/0",
       "from": "0.0.0.0/0"
     },
     {
       "ecomlist": "FS:rate 0.000000"
     },
     {
       "time": "00:00:09"
     }

  14. Rules injector ~ iptables on the client

     fs-client:~# iptables -L FORWARD
     Chain FORWARD (policy ACCEPT)
     num  target    prot opt source     destination
     1    FLOWSPEC  all  --  anywhere   anywhere
     [...]
     fs-client:~# iptables -L FLOWSPEC
     Chain FLOWSPEC (1 references)
     num  target  prot opt source     destination
     1    ACCEPT  all  --  2.0.0.1    1.0.0.1
     2    DROP    all  --  anywhere   anywhere
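The client side, the "rules injector", is the other half of the utility the slides leave unspecified. The following is an added example (again not the authors' code) of turning FRR's flowspec entries back into the FLOWSPEC chain shown above. It parses the `FS:marking N` and `FS:rate R` strings FRR renders in `ecomlist`, orders ACCEPT rules by the carried rule number, appends rate-0 routes as DROP rules so the controller's default policy lands last, and refuses actions it cannot map (a non-zero rate, a redirect) rather than silently installing something else. The entries are constructed dicts built from the fields in the slide output, since the slide shows them as separate JSON fragments; the chain set-up commands are assumptions about how such an injector would hook FORWARD.

```python
import re

# FRR renders Flow-Spec actions as "FS:<action> <value>" inside ecomlist.
ECOM_RE = re.compile(r"^FS:(marking|rate)\s+(\S+)$")


def parse_ecom(ecom):
    """Parse e.g. 'FS:marking 1' -> ('marking', 1) or 'FS:rate 0.000000' -> ('rate', 0.0)."""
    m = ECOM_RE.match(ecom.strip())
    if not m:
        raise ValueError(f"unsupported Flow-Spec action: {ecom!r}")
    kind, value = m.groups()
    return kind, (int(value) if kind == "marking" else float(value))


def rules_from_flowspec(routes):
    """Turn FRR flowspec entries into ordered (num, src, dst, target) tuples.

    Marked routes keep the rule number carried in the DSCP; rate-0 routes
    become DROP rules placed after every numbered rule, so the client chain
    ends with the controller's default policy regardless of announcement order.
    """
    accepts, drops = [], []
    for r in routes:
        kind, value = parse_ecom(r["ecomlist"])
        src, dst = r["from"].strip(), r["to"].strip()
        if kind == "marking":
            accepts.append((value, src, dst, "ACCEPT"))
        elif value == 0.0:
            drops.append((src, dst))
        else:
            # A real rate limit would need a policing target; this example only handles drop.
            raise ValueError(f"non-zero traffic-rate {value} is not handled here")
    accepts.sort(key=lambda t: t[0])
    next_num = (accepts[-1][0] + 1) if accepts else 1
    rules = list(accepts)
    for i, (src, dst) in enumerate(drops):
        rules.append((next_num + i, src, dst, "DROP"))
    return rules


def iptables_commands(rules):
    """Render the chain rebuild the slides show: a FLOWSPEC chain hooked from FORWARD.

    The chain is flushed and refilled on every run, so a withdrawn route
    disappears from the client on the next sync (assumed injector behaviour).
    """
    cmds = [
        "iptables -N FLOWSPEC 2>/dev/null || true",
        "iptables -F FLOWSPEC",
        "iptables -C FORWARD -j FLOWSPEC 2>/dev/null || iptables -I FORWARD 1 -j FLOWSPEC",
    ]
    for _, src, dst, target in rules:
        cmds.append(f"iptables -A FLOWSPEC -s {src} -d {dst} -j {target}")
    return cmds


# Constructed entries using the fields shown in the slide output.
SAMPLE_ROUTES = [
    {"to": "1.0.0.1/32", "from": "2.0.0.1/32", "ecomlist": "FS:marking 1", "time": "00:00:09"},
    {"to": "0.0.0.0/0", "from": "0.0.0.0/0", "ecomlist": "FS:rate 0.000000", "time": "00:00:09"},
]

if __name__ == "__main__":
    for cmd in iptables_commands(rules_from_flowspec(SAMPLE_ROUTES)):
        print(cmd)
```

Rebuilding the whole chain from the current RIB, instead of appending on each UPDATE, is what makes the client converge to the controller's table after withdrawals; the cost is a brief window during the flush in which the FORWARD policy alone applies, which is why the slide's client keeps FORWARD at ACCEPT while the controller's FORWARD policy is DROP.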

  15. Flow Specification is suitable for such a purpose, and:
     A. Rule numbering must be carried along with the routes, preferably with its own extended community sub-type.
     B. A proper implementation of route injection in the underlying system is still missing.
     C. Rule application can be filtered at BGP level, using the Route Target extended community to achieve higher scalability.

  16. Thank you. Davide Pucci, https://davidepucci.it; Cumulus Networks, https://cumulusnetworks.com; Security and Network Engineering, https://os3.nl; University of Amsterdam, https://uva.nl
